Your Passwords vs The World

Protecting Your Passwords

What is a Password?

Passwords are a piece of the puzzle that . Usernames identify who we are or which account we are trying to access. A password verifies the person trying to access the account as the authorized user by validating a piece of information only the person who has access to the account would know.

Why Are Passwords Important?

Passwords help keep our data safe, period. A PIN is the same thing as a password: an identifiable string of information that only the authorized user would know. When you fail to use a password, your data is at risk. Luckily, pretty much every account out there requires a password, and some even go the extra step to make sure your password is secure.

What is the Meaning of a “Secure” Password?

A secure password will generally have a larger number of characters and include a mixture of upper- and lower-case letters, numbers and special characters. The reason for this added complexity is to increase the time it would take to guess the password using a method known as brute force. Brute-force password cracking is when an attacker actively attempts to guess your password without any knowledge of what it may be. Passwords that contain only a small number of letters (fewer than 10, upper or lower case) can be guessed by a computer almost instantly. Use fewer than 10 numbers only and it can be guessed even faster. When you mix numbers and letters together the time increases significantly, and when you introduce special characters it becomes exponentially harder. When you use a mixture of more than 10 letters, numbers and special characters, the time to guess the password grows from mere seconds to hundreds of years.
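The growth described above is just the size of the search space: (size of character set) raised to (length). The following is an added example written for this article, not code from the original post. It turns keyspace sizes into illustrative worst-case times using an assumed guess rate (10 billion guesses per second against a fast, unsalted hash); that rate is a constructed assumption, and real figures vary widely with hardware and with how the password was hashed.

```python
"""Brute-force search space vs. character set and length.

Added example for this article (not code from the original post). The guess
rate below is a constructed assumption used only to turn keyspace sizes into
illustrative times; real rates depend on hardware and on how the password
was hashed.
"""

# Size of each character class (printable ASCII).
CHARSETS = {
    "digits": 10,
    "lowercase": 26,
    "letters": 52,                  # upper- and lower-case
    "letters+digits": 62,
    "letters+digits+symbols": 95,   # every printable ASCII character
}

# ASSUMPTION: 10 billion guesses per second against a fast, unsalted hash.
ASSUMED_GUESSES_PER_SECOND = 10_000_000_000


def keyspace(charset: str, length: int) -> int:
    """Number of distinct passwords of exactly `length` drawn from `charset`."""
    return CHARSETS[charset] ** length


def worst_case_seconds(charset: str, length: int,
                       rate: int = ASSUMED_GUESSES_PER_SECOND) -> float:
    """Seconds needed to try every password in the keyspace at `rate` guesses/s."""
    return keyspace(charset, length) / rate


def human_time(seconds: float) -> str:
    """Render seconds using the largest whole unit that fits, e.g. '2.7 years'."""
    units = (("years", 365 * 24 * 3600), ("days", 86_400),
             ("hours", 3_600), ("minutes", 60), ("seconds", 1))
    for name, size in units:
        if seconds >= size:
            return f"{seconds / size:,.1f} {name}"
    return "under a second"


def growth_table(lengths=(8, 10, 12)):
    """Worst-case time for every charset at each length, as a nested dict."""
    return {cs: {n: human_time(worst_case_seconds(cs, n)) for n in lengths}
            for cs in CHARSETS}


if __name__ == "__main__":
    # Print one row per character class so the exponential jump is visible.
    for cs, row in growth_table().items():
        cells = "  ".join(f"{n} chars: {t:>16}" for n, t in row.items())
        print(f"{cs:<24} {cells}")
```

Running it shows that 10 digits fall in about a second and 8 lowercase letters in about 20 seconds at the assumed rate, while 10 mixed letters and digits take years and 12 characters from the full printable set take far longer still; adding length multiplies the space by the alphabet size on every character, which is why long passphrases work.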

But we will never be able to remember a random string of numbers, letters and characters. What is suggested instead is that we use what is called a “passphrase”. This is a long password that is made to be complex and difficult to guess, yet easy to remember. A passphrase works more like a short sentence and substitutes some letters with numbers and special characters. A user might turn the passphrase “I like apples” into “[email protected]$”. Easy to remember, yet almost impossible to guess.

Why You Should Never Reuse the Same Password

Using the same password everywhere is a terrible idea, and chances are you do it, along with a vast majority of the population. When we reuse a password, we expose all of our accounts to the same level of vulnerability. Let's say, for example, that the password for your favorite retailer is the same password you use for your email, your bank and your work computer. Suddenly that small retailer suffers a data breach and all user accounts are compromised. Because you used the same password, your small retail account being compromised means your email, your bank and your work account are compromised too. Chances are you don't pay attention to every data breach that happens, which means you wouldn't change your passwords, and this leaves you open to exploitation.

How Can You Remember A Different Password for Every Account?

It's simple: use a password manager. If you are reading this article and retain only one thing from it, I want it to be this. Go sign up for a password manager IMMEDIATELY. There are free ones offered by Apple, Google and Mozilla, and there are paid ones such as Dashlane and LastPass. They cost about the same as a home streaming subscription, and if you value your ability to binge-watch that new TV show over your ability to keep access to your data, then you need to look at your priorities.

Password managers store all of your passwords in one easy and convenient location. Not only that, you can also store other important information such as credit cards, ID numbers, documents and more. If you need to jot down an important note, password managers let you store text as well. Go and get one, like right now. Start using it and keep reading the article to learn more valuable reasons why you made the best decision by getting one.

How Can I Further Protect My Passwords?

Using a password alone is not always enough to protect yourself. As discussed before, a password is a string of text that simply proves “what we know”, but there are other ways to authenticate logins. Another method is “what we have”. This uses a physical token such as an access card or a USB token. This is increasingly known as 2FA (Two-Factor Authentication) or MFA (Multi-Factor Authentication). It is generally used IN ADDITION to a password and means that the person logging in not only has to know their password but also has to possess a physical token or device that only the authorized person would have access to. Another, less used method is “what we are”, which uses biometrics (iris, fingerprint or voice recognition). Biometrics have been bypassed in the past, for instance by using pictures to fool facial recognition, but are becoming more complex and difficult to thwart as technology progresses.

Some Passwords We Should Protect More Than Others

While we should be concerned about all of our accounts becoming compromised, there are some we should take extra precautions to secure. As mentioned before, a password manager stores all of our passwords, so it immediately jumps to the very top of the list as the most important account to protect. Now, you can't use a password manager to remember its own password, so that password should be long, complex and yet easy to remember (although I guess if you used 2 password managers that would be possible). Use a complex passphrase and you should be good. Most password managers are very good at securing your account. When logging in from a new device or location they will ask you to verify it a second way. You might have to verify logins every few weeks as an extra step as well.

Other important accounts might be your cloud storage, healthcare login and bank account, but one of the most overlooked accounts that needs to be protected more than anything (possibly even more than a password manager) is your email account. Our email is tied to practically everything we own. When we need to reset a password, the reset usually gets sent to our email. When a one-time code is generated, it is often sent to our email by default. Email compromise is a serious topic and it is monitored by the FBI's Internet Crime Complaint Center (IC3). It is known as Business Email Compromise / Email Account Compromise (BEC/EAC) and is one of the most frequently reported forms of internet fraud. The FBI reported over $1.8 billion (as in billion with a B) in losses from this fraud and exploitation. Your email account being compromised is about the closest thing to identity theft on the internet, if not worse. Your email should have some of the strongest safeguards possible. Enable 2FA and make sure you are not clicking on random links.

How Are Passwords Stored?

In order to understand how hackers are able to get passwords, you first have to understand how passwords are stored on a server. You, as a user, do not have control over how a password is stored; the trusted entity (whoever you have your account with) needs to understand the best practices of the industry and follow certain guidance and regulations. Passwords are generally never stored in plain text (meaning readable exactly as you typed them) and are instead stored as a hash.

Hashing vs Encryption

A hash is generated when you take the plain text of a string and run it through an algorithm that turns it into a fixed-length string that looks random. You might think that a hash is a form of encryption, but it is more a form of obfuscation. There are a few differences between hashing and encrypting. First, hashing always uses the same algorithm and no key, meaning that the same hash will be produced for the same word (we will talk about why this is important in a bit). With encryption the algorithm is also the same, but the encrypted text depends on the key that is used (and so differs from key to key). Second, hashes are one-way, meaning they are not meant to be reversed, unlike encrypted text, which is meant to be decrypted back into plain text in order to be used.

So why are hashes made this way? Hashes allow a service to store your password securely so that if the hash were ever disclosed your account would not be in danger (entirely). Having the hash disclosed is still dangerous, but not as dangerous. When you log into an account, your password is turned into a hash. This hash is then compared to what is stored on the server. If the two match, your account is authenticated.

How Do Hackers Get Passwords?

Hackers will get into your account using a number of methods that involve cracking the password. One way to try to get into an account would be to guess the password manually, but this would take forever, especially if you have no clue what it might be and you are just brute forcing at random.

Another way would be to use password-cracking software. This software takes a stolen password hash, hashes candidate passwords with the same algorithm and compares the results until one matches. Hackers will use rainbow tables (pre-generated hashes) or wordlists from previous breaches in order to intelligently compare a hash against passwords already known to be in use. This is how a hacker is able to take that seemingly unimportant account and use the same password that you reuse to compromise your more sensitive accounts. Another method is using a data-breach database (such as Dehashed) and looking at passwords used by a user that may have been compromised.
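The two previous sections describe the same mechanism from both sides: the service hashes what you type and compares it to the stored hash, and anyone holding a leaked hash can compare it against pre-generated hashes of known passwords. The following added example, written for this article and not code from the original post, shows both in the Python standard library. It also goes one step beyond the text, by showing the defence services use against exactly this comparison: a random per-user salt plus a deliberately slow key-derivation function (PBKDF2-HMAC-SHA256 here), so identical passwords no longer produce identical stored values and a pre-generated table is useless. The wordlist is a constructed stand-in for a real breach list.

```python
"""Password storage: unsalted fast hash vs. salted slow hash.

Added example for this article, not code from the original post. It uses only
the Python standard library. BREACH_WORDLIST is a constructed stand-in for a
real leaked-password list, which would hold millions of entries.
"""
import hashlib
import hmac
import os
from typing import Dict, Optional

BREACH_WORDLIST = ["password", "123456", "qwerty", "letmein", "iloveyou"]

# ---- Weak scheme: one fast, unsalted hash per password ---------------------

def weak_store(password: str) -> str:
    """Bare SHA-256 of the password. The same password always gives the same
    hash, which is exactly what a pre-generated table relies on."""
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


def weak_verify(password: str, stored: str) -> bool:
    """Login check: hash what was typed and compare it to the stored hash."""
    return hmac.compare_digest(weak_store(password), stored)


# ---- What the leaked hashes are worth to whoever holds them ----------------

def build_lookup_table(wordlist) -> Dict[str, str]:
    """Precompute hash -> password for a wordlist (a tiny rainbow-table analogue)."""
    return {weak_store(word): word for word in wordlist}


def lookup_weak_hash(stored: str, table: Dict[str, str]) -> Optional[str]:
    """Recover the password behind an unsalted hash with one dictionary lookup."""
    return table.get(stored)


# ---- Stronger scheme: random per-user salt plus a deliberately slow KDF ----

ITERATIONS = 600_000  # work factor; raise it until one check costs a noticeable fraction of a second


def strong_store(password: str, salt: Optional[bytes] = None,
                 iterations: int = ITERATIONS) -> str:
    """Return a self-describing record: 'pbkdf2_sha256$<iterations>$<salt hex>$<digest hex>'."""
    if salt is None:
        salt = os.urandom(16)           # fresh random salt for every stored password
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${digest.hex()}"


def strong_verify(password: str, stored: str) -> bool:
    """Recompute with the salt and iteration count from the record; compare in constant time."""
    try:
        algo, iterations, salt_hex, digest_hex = stored.split("$")
    except ValueError:
        return False                    # malformed record never authenticates
    if algo != "pbkdf2_sha256":
        return False
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                 bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(digest, bytes.fromhex(digest_hex))


def salted_digest(stored: str) -> str:
    """The digest part of a strong record, so it can be checked against a table."""
    return stored.split("$")[3]


if __name__ == "__main__":
    table = build_lookup_table(BREACH_WORDLIST)
    print("unsalted hash found in table:", lookup_weak_hash(weak_store("letmein"), table))

    rec1, rec2 = strong_store("letmein"), strong_store("letmein")
    print("two salted records differ:", rec1 != rec2)
    print("both still verify:", strong_verify("letmein", rec1) and strong_verify("letmein", rec2))
    print("salted digest found in table:", lookup_weak_hash(salted_digest(rec1), table))
```

The weak scheme is what makes a leaked database dangerous: every user who chose "letmein" has the same stored value, and one lookup recovers all of them. With the salted record the same password stored twice yields two different values, both still verify, and the table built from the wordlist matches neither. The comparisons use `hmac.compare_digest` so that the check takes the same time whether or not the hashes agree.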

Weak passwords have been at the center of some of the biggest compromises. The largest data breach to occur in 2020, SolarWinds, was because a hacker was able to guess the admin password. The consequences were devastating but could have been mitigated for the most part had the administrators used a stronger password.

Check to See if Your Account Has Been Compromised

Any good password manager is going to monitor major data breaches and alert you when a breach occurs at any of the accounts that you have. The first thing you should do is change your password, then identify the scope of the threat to see if there are additional steps that need to be taken.

Alternatively, you can manually check by looking on a website such as dehashed.com or haveibeenpwned.com. Make sure that your passwords are strong, protected and not reused.

Author: Christian McLaughlin

Christian is an information security expert working as a security engineer, researcher and penetration tester. He served his country proudly as a sailor in the US Navy for 7 1/2 years before transitioning out into the private infosec field. When not working, he enjoys practicing music, playing video games, or just learning more about computers and technology.